SYSTEM AND METHOD FOR MAINTAINING CUSTOMER PRIVACY 



BACKGROUND OF THE INVENTION 

1. Field of The Invention 

The present invention relates generally to network privacy, and more particularly to a 
system and method for maintaining the privacy of institutional customers during network 
transactions. 

2. Related Art 

With the advent of the world wide web (i.e., the web) and Internet, the use of 
electronic commerce has exploded. In an effort to better market goods and services, 
technologies have been developed that track the patterns of individual consumers, or groups 
of consumers. Such information can be put to good use, namely by improving the quality of 
services, delivering differentiated services, improving customer retention, etc. Unfortunately, 
use of such technologies can also often result in personal information being unknowingly 
used, sold or otherwise disseminated, and may in most cases be considered a form of invasion 
of the consumers' privacy. 

Accordingly, one of the challenges of this new type of commerce is to provide privacy 
protection to consumers who use services on the Internet. One solution is to implement 
technologies that will allow consumers to engage in electronic commerce with complete 
protection of privacy and/or even complete anonymity. However, there are some instances 
when complete privacy or anonymity between a consumer and an institution (e.g., a 
merchant, a service provider, a bank, etc.) is not practical. For instance, a bank may be 
legally obligated to know the identity of a consumer conducting transactions with the bank. 
In addition, a consumer may want a merchant to know his or her identity during a business 
transaction in order to streamline the process. In these cases, encryption techniques, such as 
public key infrastructure (PKI) can be utilized to ensure that the information being transferred 
remains secure against eavesdroppers. 

A problem arises however in situations where institutions offer a combination of 
private services, such as on-line banking, and non-private or public services, such as 
shopping opportunities. For example, a merchant web page may include a web portal giving 
access to a variety of services and information delivered by the merchant or other parties. In 
such cases, the merchant has the ability to observe the interaction between the customer and 
the web pages accessed through the portal. Because the exact identity of the customer is 
known, the possibility exists of exploiting personal information, which may result in an 
invasion of the customer's privacy. Similar problems arise in the case of business customers. 
For instance, observation of the web behavior may allow one to guess the commercial 
strategy of a business customer. 

To combat this potential exploitation, some companies have adopted strict policies 
that forbid themselves from observing their customers' web behavior. It is however 
important to recognize that tracking the overall trends of consumers not only helps the 
merchant improve their business, but it also helps the customer to be better served. 
Accordingly, the ability to gather and utilize business intelligence helps commercial 
efficiency. Thus, there exists a need to provide capabilities for gathering business 
intelligence on the Internet while protecting the privacy of consumers, particularly in the case 
where the consumer's identity is known to the institution providing goods and/or services. 

SUMMARY OF THE INVENTION 

The present invention provides a system and method that will allow for the gathering 
of business intelligence information in a network environment in a manner that will ensure 
the privacy of a consumer even in a case where the consumer must reveal his or her identity. 

In a first aspect, the invention provides a system for delivering institutional data to a 
customer, comprising: an institutional server, wherein the institutional server includes a 
system for separately serving a first database containing private data and a second database 
containing public data; a service provider, wherein the service provider includes a system for 
receiving an encrypted version of the private data and an unencrypted version of the public 
data; and a client, wherein the client includes a system for displaying a merged version of the 
private and public data. 

In a second aspect, the invention provides a method of preserving privacy between a 
customer and an institution in a computer network environment, comprising the steps of: 
separating data associated with the institution into a first database of private data and a 
second database of public data; storing an encrypted copy of the private data and an 
unencrypted copy of the public data with an intermediary service provider; providing to the 
customer a security system that allows the customer to decrypt the encrypted data and remain 
anonymous to the intermediary service provider; merging the encrypted copy of the private 
data and the unencrypted copy of the public data; and providing an interface that will allow 
the customer to view the merged data. 

In a third aspect, the invention provides a method of preserving privacy between a 
customer and an institution in a computer network environment, comprising the steps of: 
separating data associated with the institution into a first database of encrypted private data 
and a second database of public data; loading an unencrypted copy of the public data to a 
service provider; loading to a client the encrypted private data from the institution and the 
unencrypted copy of the public data from the service provider; providing to the customer a 
security mechanism that will allow the customer to decrypt the encrypted data and remain 
anonymous to the service provider; and providing an interface that allows the customer to 
view the encrypted copy of the private data and the unencrypted copy of the public data. 

In a fourth aspect, the invention provides program product stored on a recordable 
medium that preserves privacy between a customer and an institution in a computer network 
environment, comprising: a system for separating data associated with the institution into a 
first database of encrypted data and a second database of unencrypted data; a system for 
providing a copy of the second database of unencrypted data to an intermediary service 
provider; an interface that allows the customer to view the first database of encrypted data 
and the copy of the second database of unencrypted data provided to the intermediary service 
provider; and a security system that allows the customer to decrypt the encrypted data and 
remain anonymous to the intermediary service provider. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The preferred exemplary embodiment of the present invention will hereinafter be 
described in conjunction with the appended drawings, where like designations denote like 
elements, and: 

Figure 1 depicts a graphical user interface displaying private and public data in 
accordance with the present invention. 

Figure 2 depicts a block diagram of a privacy system in accordance with a first 
embodiment of the present invention. 

Figure 3 depicts a block diagram of a privacy system in accordance with a second 
embodiment of the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

Referring now to Figure 1, an exemplary graphical user interface (GUI) 100 is 
depicted showing a web page for a financial institution (Bank XYZ). GUI 100 includes a 
private window 102 for displaying private data relating to a customer account, and a public 
window 104 for displaying non-private or public data available by or through the financial 
institution. As will be described in further detail below, the present invention provides a 
mechanism for anonymously gathering information regarding the use of the public data by 
the consumer, even though the consumer's identity is known by the private window 102. 

As can be seen, the private window 102 includes sensitive data relating to account 
information for consumer Joe Smith, as well as options for performing sensitive transactions 
relating to banking services. For example, the customer has the ability to pay bills or transfer 
funds by selecting the appropriate options. Because of the nature of the data being 
transferred back and forth between the consumer and the institution in private window 102, 
private data is preferably processed in an encrypted format in order to maintain consumer 
privacy. The specific implementations for handling private data are described in further 
detail below. 

In contrast, public window 104 includes non-sensitive information and hypertext links 
to other web pages where further details regarding each of the selections can be obtained. In 
an exemplary embodiment, public window 104 may comprise a web portal. Because the data 
displayed in public window 104 does not contain sensitive information, the data does not 
need to be encrypted. Thus, valuable business intelligence information (e.g., consumer 
interests, etc.) can be obtained from public window 104 by tracking the behavior of the 
consumer. In order to ensure privacy, the identity of the consumer, which is available for 
transactions in private window 102, is not made available for transactions occurring through 
public window 104. To accomplish this, the two windows 102 and 104 are operationally 
distinct and receive their data through separate channels, which is then merged together at the 
GUI 100. 

It should be understood that although the present invention is described with respect 
to private and public data, the invention can apply to any system in which there exists 
different types of downloadable data. In addition, it should be understood that GUI 100 is 
presented for exemplary purposes only, and other configurations and/or types of interfaces for 
displaying private and public data could be used. 

Referring now to Figure 2, a system for handling private data and public data to 
achieve the above-mentioned goals is shown. The system essentially comprises a client 10, a 
service provider 12, and an institution 14. Client 10 provides an interface through which 
customer 11 can obtain data from institution 14 and may comprise, for example, a web 
browser, a web phone, a personal digital assistant, etc. Institution 14 may comprise any 
provider of goods and/or services that distributes both private data 16 and public data 18 
(collectively referred to as institutional data). Institution 14 may comprise, for example, a 
bank, a stock broker, a merchant, etc. 

In order to ensure privacy between the customer 11 and the institution 14, service 
provider 12 acts as an intermediary source of the institution's private data 16 and public data 
18. Accordingly, when a customer 11 requests information from institution 14, the 
information is passed from institution 14 in the form of private data 16 and/or public data 18 
to service provider 12. Service provider 12 then forwards the data to a merge system 32 
which merges the data for display on GUI 100 within client 10. Although shown as a 
separate system, merge system 32 could likewise be incorporated into client 10, or service 
provider 12. 

As noted, the system seeks to address several goals. A first goal is that private data 
16 provided by institution 14 must be delivered to customer 11 in a secure environment such 
that the nature of the transaction, and information relating thereto, is kept private between the 
customer and institution 14. A second goal is to deliver public data 18 from the institution 14 
to the customer 11 in an unsecured format that will allow for the collection of business 
intelligence while protecting the identity of customer 11. In order to achieve these goals, 
customer 11 and/or client 10 are provided with a pair of keys 37 and 38 from institution 14. 
The first key 37 allows client 10 to decrypt encrypted private data originating from institution 
14. In this embodiment, private data 16 is encrypted with encryption system 23 and is then 
passed to service provider 12. Accordingly, service provider 12 cannot access the private 
data 16 being routed to client 10 since service provider 12 only maintains an encrypted copy 
of private data 24. Any type of cryptography may be used to secure private data 16, including 
using secret key cryptography or private key/public key pairs, which are well known in the 
art. 

The second key 38 provided to client 10 is utilized to maintain an anonymous 
relationship with service provider 12 and perhaps determine the level of services available to 
customer 11. Specifically, service provider 12 includes a security system 30 that is 
configured to operate with the second key 38 in order to ensure that the identity of customer 
11 cannot be known to service provider 12 or institution 14. When public data 18 is 
requested by client 10, a copy of the public data 26 is loaded to service provider 12, and 
served to client 10 by server 29. In order to gather business intelligence information, service 
provider 12 includes an analysis and reporting system 28 that can examine the requests and 
trends of customer 11 made with regard to the copy of the public data 26. Because the 
customer's identity is not known to service provider 12, there is no threat of invading the 
privacy of customer 11. 
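The Figure 2 data flow just described, as an added example that is not part of the patent: institution 14 encrypts private data 16 under key 37 and deposits the encrypted copy 24 and the public copy 26 with service provider 12; the client proves possession of key 38 to security system 30 under a pseudonym only, decrypts with key 37, and merges both windows, while reporting system 28 can only count requests per page. The HMAC-based stream cipher, the challenge/response login and the pseudonym derivation are assumptions standing in for the unspecified "any type of cryptography".

```python
import hashlib
import hmac
import secrets
from collections import Counter

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the
    # "any type of cryptography" the text allows; use AES-GCM in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def pseudonym(key38: bytes) -> str:
    # Identity-free handle derived from key 38 (an assumption, not from the text).
    return hashlib.sha256(b"pseudonym|" + key38).hexdigest()[:16]

def institution_issue(private_record: bytes):
    # Institution 14: issues keys 37 and 38; encryption system 23 encrypts first.
    key37, key38 = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    return key37, key38, nonce, keystream_xor(key37, nonce, private_record)

class ServiceProvider:
    # Service provider 12: encrypted copy 24, public copy 26, systems 30 and 28.
    def __init__(self, public_copy: dict):
        self.public_copy = public_copy
        self.accounts = {}   # pseudonym -> (key 38, nonce, ciphertext); no names
        self.requests = []   # (pseudonym, page) hits for reporting system 28

    def enroll(self, key38: bytes, nonce: bytes, ciphertext: bytes) -> None:
        self.accounts[pseudonym(key38)] = (key38, nonce, ciphertext)

    def authenticate(self, pseud: str, respond) -> bool:
        # Security system 30: challenge/response on key 38, no identity learned.
        rec, chal = self.accounts.get(pseud), secrets.token_bytes(16)
        return rec is not None and hmac.compare_digest(
            hmac.new(rec[0], chal, hashlib.sha256).digest(), respond(chal))

    def serve_public(self, pseud: str, page: str) -> str:
        self.requests.append((pseud, page))
        return self.public_copy[page]

    def report(self) -> dict:
        # Per-page trends for business intelligence; no customer name exists here.
        return dict(Counter(page for _, page in self.requests))

def client_session(sp: ServiceProvider, key37: bytes, key38: bytes, pages: list) -> dict:
    # Client 10: proves key 38 (never a name), decrypts with key 37, merges for GUI 100.
    pseud = pseudonym(key38)
    if not sp.authenticate(pseud, lambda c: hmac.new(key38, c, hashlib.sha256).digest()):
        raise PermissionError("security system 30 rejected the client")
    public_window = {p: sp.serve_public(pseud, p) for p in pages}
    _, nonce, ct = sp.accounts[pseud]
    return {"private_window": keystream_xor(key37, nonce, ct).decode(),
            "public_window": public_window}
```

The provider never receives a customer name, so even a full dump of its state yields only a pseudonym, an opaque ciphertext and page counts.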

Several protocols and commercial models exist that allow communication on the 
Internet with complete anonymity. One example is given on the home page of the NetBill 
Security and Transaction Protocol, entitled "Maintaining Privacy In Electronic Transactions" 
by Benjamin T.H. Fox, which can be obtained on the Internet at <www.ini.cmu.edu/netbill>. 
The use of the second key 38 may be complemented by a password, for instance chosen by 
customer 11 at the time of first use of the service. Additionally, the second key 38 may be 
hidden in secure hardware (e.g., security system 30). Notice that the use of secure hardware 
may allow solutions such as verification of the password in the hardware before it can be 
used for communications and/or transactions. Moreover, the use of such secure hardware, 
from smart cards to the most secure IBM 4758 PCI cryptographic coprocessor, may allow for 
the elimination of a password for the communication with service provider 12. 

It should be recognized that in the case where institution 14 is acting as a portal, some 
of its public data 18 may originate from external data sources 22, such as other web sites. 
Similarly, service provider 12 may also provide other external data sources 34 in addition to 
the copy of public data 26 received by institution 14. Furthermore, institution 14 may include 
a security system 20 responsible for, among other things, distributing keys 21 to new 
customers. Institution 14 may also comprise a server 25 for serving the private data 16 and 
public data 18, as well as a data separation system 27 for maintaining separate databases of 
private and public data. 

Referring now to Figure 3, an alternate embodiment of the privacy system is depicted. 
In this setting, institution 14 comprises the same features and functionality as described with 
respect to the system shown in Figure 2. In this case, however, service provider 44 does not 
maintain a copy of the encrypted private data. Instead, service provider 44 only maintains a 
copy of the public data 60, and the private data 16 is downloaded directly to client 10. The 
private data 16 and copy of public data 60 are then merged at client 10 with merge system 76. 
Similar to the embodiment depicted in Figure 2, client 10 includes a first key 37 that 
allows the customer to view encrypted private data 16 downloaded directly from institution 
14. In addition, client 10 includes a second key 38 that allows the identity of customer 11 to 
remain anonymous to service provider 44. As in the previous case, the second key 38 is 
configured to operate with security system 72 on service provider 44 to ensure anonymity. 
Service provider 44 likewise includes an analysis and reporting system 66 that allows 
business intelligence to be gathered without knowing an identity of customer 11. 

It is understood that the present invention can be realized in hardware, software, or a 
combination of hardware and software. The components as described herein can be realized 
in a centralized fashion in a single computerized workstation, or in a distributed fashion 
where different elements are spread across several interconnected computer systems (e.g., a 
network). Any kind of computer system - or other apparatus adapted for carrying out the 
methods described herein - is suited. A typical combination of hardware and software could 
be a general purpose computer system with a computer program that, when loaded and 
executed, carries out the methods described herein. Alternatively, a specific use computer, 
containing specialized hardware for carrying out one or more of the functional tasks of the 
invention could be utilized. The present invention can also be embedded in a computer 
program product, which comprises all the features enabling the implementation of the 
methods described herein, and which - when loaded in a computer system - is able to carry 
out these methods. Computer program, software program, program, module, mechanism or 
software, in the present context mean any expression, in any language, code or notation, of a 
set of instructions intended to cause a system having an information processing capability to 
perform a particular function either directly or after either or both of the following: (a) 
conversion to another language, code or notation; and/or (b) reproduction in a different 
material form. 

The foregoing description of the preferred embodiments of this invention has been 
presented for purposes of illustration and description. It is not intended to be exhaustive or to 
limit the invention to the precise form disclosed, and obviously, many modifications and 
variations are possible. Such modifications and variations that may be apparent to a person 
skilled in the art are intended to be included within the scope of this invention as defined by 
the accompanying claims. 